[Opendnssec-user] Is split horizon DNS possible?

Casper Gielen c.gielen at uvt.nl
Thu Jul 5 11:53:25 UTC 2012

> On 04-07-12 16:39, Casper Gielen wrote:
> Oh, that is quite a show-stopper. Can anybody confirm that this is not possible?
> Does anybody have an idea for a workaround on how to use OpenDNSSEC in a scenario with split horizon DNS?

Confirmed, OpenDNSSEC is not compatible with split-dns.
ODS uses the name of the zone as an identifier. Two zones with the same 
name are not possible. I've not found a work-around other then running 
two copies of ODS.

However, realistically speaking, split-dns with dnssec is only of 
limited utillity. Split-dns is typically used to serve a different zone 
to 'internal' users that are on the same network as the DNS-server. Most 
often there is no seperate resolver involved. Even if there is a 
seperate resolver, the traffic between the client and the resolver is 
not secured.

My own reason for wanting to use split-dns in combination with DNSSEC is 
to keep my system simple. I don't want to treat the internal and 
external zones seperatly. I don't care about signing the internal zone, 
I just don't like making exceptions.

I've been told that ODS2 will contain support for split-dns and for 
unsigned zones.

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

More information about the Opendnssec-user mailing list